Introduction to the NAT match-in-vrf feature
Source: Internet  Editor: 程序博客网  Time: 2024/06/13 15:16
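1. Inside interface in VRF green1, outside interface in VRF green1; the test is as follows
Without match-in-vrf, the ip alias table has no entry for the global address, so the router naturally cannot respond to ARP for it.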
ASR1013-2#sh run vrf green1
Building configuration...
Current configuration : 515 bytes
vrf definition green1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
interface GigabitEthernet0/0/0
 vrf forwarding green1
 ip address 90.1.0.1 255.255.255.0
 ip nat outside
 load-interval 30
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/0/1
 vrf forwarding green1
 ip address 100.100.100.1 255.255.255.0
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf
!
!
end
ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121
Interface                90.1.0.1
Dynamic                  90.1.0.14
Interface                100.100.100.1
Interface                192.168.1.2
ASR1013-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
ASR1013-2(config)#end
ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121
Interface                90.1.0.1
Interface                100.100.100.1
Interface                192.168.1.2
ASR1013-2#show ip alias vrf green1
Address Type             IP Address      Port
Interface                90.1.0.1
Interface                100.100.100.1
ASR1013-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
ASR1013-2(config)# ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf
ASR1013-2(config)#do show ip alias vrf green1
Address Type             IP Address      Port
Interface                90.1.0.1
Dynamic                  90.1.0.14
Interface                100.100.100.1
ASR1013-2(config)#end
ASR1013-2#
2. Neither the inside interface nor the outside interface is in a VRF
No VRF information is needed when specifying the NAT rule.
ASR1013-2#sh run inter gi 0/0/0
Building configuration...
Current configuration : 137 bytes
!
interface GigabitEthernet0/0/0
 ip address 90.1.0.1 255.255.255.0
 ip nat outside
 load-interval 30
 negotiation auto
 cdp enable
end
ASR1013-2#sh run inter gi 0/0/1
Building configuration...
Current configuration : 141 bytes
!
interface GigabitEthernet0/0/1
 ip address 100.100.100.1 255.255.255.0
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
end
ASR1013-2#sh run | in ip nat
 ip nat outside
 ip nat inside
ip nat inside source static 100.100.100.142 90.1.0.14
alias exec trans sh ip nat translations total
alias exec natfull sh ip nat translations filter entry-type full total
alias exec nathalf sh ip nat translations filter entry-type half all total
ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121
Interface                90.1.0.1
Dynamic                  90.1.0.14
Interface                100.100.100.1
Interface                192.168.1.2
ASR1013-2#
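3. Inside interface in a VRF, outside interface in the global table.
This is the most common case: multiple access methods are accepted, the incoming traffic comes from different VRFs, but all of it shares the same global address.
In this case the NAT rule can be written without vrf, with vrf, or with vrf + match-in-vrf.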
ASR1013-2#sh run inter gi 0/0/0
Building configuration...
Current configuration : 137 bytes
!
interface GigabitEthernet0/0/0
 ip address 90.1.0.1 255.255.255.0
 ip nat outside
 load-interval 30
 negotiation auto
 cdp enable
end
ASR1013-2#sh run inter gi 0/0/1
Building configuration...
Current configuration : 164 bytes
!
interface GigabitEthernet0/0/1
 vrf forwarding green1
 ip address 100.100.100.1 255.255.255.0
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
end
ASR1013-2#sh run | in ip nat inside
 ip nat inside
ip nat inside source static 100.100.100.142 90.1.0.14
ASR1013-2#show ip alias
Address Type             IP Address      Port
Interface                10.74.9.121
Interface                90.1.0.1
Dynamic                  90.1.0.14
Interface                100.100.100.1
Interface                192.168.1.2
ASR1013-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
ASR1013-2(config)#do sh ip alias
Address Type             IP Address      Port
Interface                10.74.9.121
Interface                90.1.0.1
Dynamic                  90.1.0.14
Interface                100.100.100.1
Interface                192.168.1.2
ASR1013-2(config)#no ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match
ASR1013-2(config)#ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1 match-in-vrf
ASR1013-2(config)#do sh ip alias
Address Type             IP Address      Port
Interface                10.74.9.121
Interface                90.1.0.1
Dynamic                  90.1.0.14
Interface                100.100.100.1
Interface                192.168.1.2
ASR1013-2(config)#end
ASR1013-2#
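4. Inside interface in global, outside interface in a VRF. This case is unusual and is generally not seen.
5. Inside interface in VRF A, outside interface in VRF B. This is in fact what VASI implements.
In short, NAT differs somewhat from ordinary routing: inside and outside can each be in global or in a VRF, which gives four combinations. The match-in-vrf feature is mainly intended for the case where inside and outside are both in a VRF.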
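A configuration audit for case 1, as an added example that is not part of the original post: it reads a running configuration and reports static NAT rules whose VRF holds both an inside and an outside interface but that lack match-in-vrf, which is the situation where the test above shows no alias entry for the global address in the VRF. The function names and the sample configuration are constructed for this example, and it assumes the `vrf forwarding` interface syntax and static inside-source rules only.

```python
import re

# Constructed sample: case 1 of the page with match-in-vrf left off the rule.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 vrf forwarding green1
 ip address 90.1.0.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/1
 vrf forwarding green1
 ip address 100.100.100.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 100.100.100.142 90.1.0.14 vrf green1
"""

RULE_RE = re.compile(
    r"^ip nat inside source static (\S+) (\S+)(?: vrf (\S+))?( match-in-vrf)?\s*$")

def nat_interface_vrfs(config):
    """Return {'inside': set of VRFs, 'outside': set of VRFs}; None = global table."""
    roles = {"inside": set(), "outside": set()}
    vrf = None
    for line in config.splitlines():
        if line.startswith("interface "):
            vrf = None                      # new interface block, VRF unknown yet
        elif line.startswith(" vrf forwarding "):
            vrf = line.split()[2]
        elif line.startswith(" ") and line.strip() in ("ip nat inside", "ip nat outside"):
            roles[line.split()[2]].add(vrf)
    return roles

def missing_match_in_vrf(config):
    """List (local, global, vrf) for static rules whose VRF contains both an inside
    and an outside interface but which were entered without match-in-vrf."""
    roles = nat_interface_vrfs(config)
    findings = []
    for m in filter(None, map(RULE_RE.match, config.splitlines())):
        local, global_ip, vrf, match = m.groups()
        if vrf and not match and vrf in roles["inside"] and vrf in roles["outside"]:
            findings.append((local, global_ip, vrf))
    return findings

if __name__ == "__main__":
    for local, global_ip, vrf in missing_match_in_vrf(SAMPLE_CONFIG):
        print(f"{global_ip} (for {local}) in vrf {vrf}: add match-in-vrf")
```

Rules for case 3 (outside interface in the global table) are deliberately not reported, since the test above shows the alias entry present there with or without the keyword.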
Reference:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-match-vrf.html